WordPress Bloggers Beware: You're Easy Pickings For Cybercriminals

Dozens of unpatched vulnerabilities in the WordPress blogging platform and potentially hundreds in third-party components are making easy pickings for cybercriminals, according to security researchers at Dell-SecureWorks, who urged bloggers to apply updates.

Researchers at Dell-SecureWorks said failing to apply WordPress updates is a widespread problem among the blogging platform's user base, estimated to support 64 million websites. A recent spate of attacks targeting third-party plug-ins, including one targeting a popular caching engine, has made patching even more critical for WordPress users, wrote Dennis Dwyer, a researcher at Dell-SecureWorks, in a warning issued this week.

"Although WordPress is considered a mature platform, regular updates address serious security vulnerabilities that may be used by an attacker targeting a WordPress site," Dwyer wrote.

Security researchers detected a wave of WordPress attacks last month, with thousands of websites impacted by the campaign. Attackers were brute-forcing admin passwords in an attempt to gain access to hosting provider servers.

The problem of poorly maintained WordPress installations can stem from hosting providers, which sometimes supply customers with preinstalled versions of the platform, according to Dwyer.

"Given the potential for harm in using outdated software, look for WordPress exploits to become more of an issue in the future, especially for shared hosting providers," Dwyer wrote.

Jeremiah Grossman, founder and CTO of WhiteHat Security, told CRN that WordPress sites are not managed well, allowing a single attacker to easily infect thousands of sites in a single attack campaign with an automated toolkit.

"WordPress is built in PHP so you're absolutely going to have cross-site scripting and SQL injection errors," Grossman said.

Sites written in PHP are also prone to remote file inclusion vulnerabilities, which can expose the site to injection of malicious JavaScript, code execution on the Web server and potentially data theft. "It's pretty specific to PHP and it's a way to get command access to the application and initiate local system commands," Grossman said.

Most WordPress sites are infected by phishers, who use them to host malicious code that infects visitors with malware. Exploits targeting flaws are sometimes easily obtainable, according to Dell-SecureWorks' Dwyer. The Metasploit penetration framework includes several modules targeting cross-site scripting vulnerabilities in WordPress sites.

"The existence of these exploit modules makes it easier for an unskilled attacker to launch attacks and underscores the importance of keeping WordPress up to date," Dwyer wrote.

Dell-SecureWorks' Dwyer recommends that WordPress users implement strong password policies and abide by a regular update schedule. WordPress typically issues an update every six months, while third-party plug-ins may be updated at any time, Dwyer said. WordPress provides an auto-update feature, but the functionality doesn't always work, he said. Users can also refer to the Hardening WordPress guide maintained by the platform.